Subject: pix NAT issue

Original Message
Name: sword
Date: December 11, 2007 at 02:14:36 Pacific
Subject: pix NAT issue
OS: win xp
CPU/Ram: 3 GHz; 512
Model/Manufacturer: cisco
Comment:
hi
first review the syntax

ip address outside60.181.111.210 255.255.255.252
ip address inside 192.168.253.1 255.255.255.0
ip address dmz 60.181.111.193 255.255.255.240

nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194

This is the running configuration, which is allowing the internal host to communicate from the inside to the outside interface. But my boss told me to enable access from inside to dmz also; for that I added the following command:

nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
global (dmz) 2 60.181.111.195

The dmz's public IPs stopped browsing to the outside. Why?

And I also added the ping trace command:

access-list icmp_acl permit icmp any any
access-group icmp_acl in interface dmz

Any idea? And if I am wrong, then what is the appropriate approach for the command?

Thank you



Response Number 1
Name: Curt R
Date: December 11, 2007 at 07:26:18 Pacific
Subject: pix NAT issue
Reply:
ip address outside60.181.111.210 255.255.255.252

I don't know that much about PIX configuration but I believe there should be a space between "outside" and "60". I'm not sure if that will make a difference or not but it did jump out at me.



Response Number 2
Name: sword
Date: December 12, 2007 at 04:50:36 Pacific
Subject: pix NAT issue
Reply:
My dear, it's a typing mistake; otherwise the PIX wouldn't take that command.

Please, anyone, help me out in this deep trouble. Here is more detail:

inside ip 192.168.253.0/24
outside 60.181.111.210/30
dmz ip 60.181.111.192/28


Now, answering in more detail: the existing commands were working great. The defined inside (private IP) and dmz (public IP) users were accessing the internet successfully.

The enhancement which I have to do was that the inside user should access outside as well as dmz. For that I added the blue lined command (previously talked) on the existing command; actually, the following command

nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194

is allowing the inside user to the outside world (PATting), and I thought that if I add the

global (dmz) 2 60.181.111.195

it will allow the inside user to access the dmz as well, because NAT is used to allow traffic from a high security interface (inside) to a lower security interface (dmz).
And an access list is used to allow traffic from a low security interface to a high security interface.

I think I have to add a NAT command with a new NAT "ID", that is

nat (inside) 3 192.168.250.128 255.255.255.192
global (dmz) 3 60.181.111.195

What do you people say about this?

Thank you
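
An added example, not part of the thread or written by any poster: a Python check that parses the three statement types posted above, pairs nat and global statements by NAT ID, and lists how the addresses relate to each other. The function names are this example's own, the configuration is the one from the thread with the space restored after "outside", and the output is address arithmetic only, not a model of PIX forwarding.

```python
import ipaddress
import re

# Configuration as posted in the thread (space restored after "outside").
CONFIG = """\
ip address outside 60.181.111.210 255.255.255.252
ip address inside 192.168.253.1 255.255.255.0
ip address dmz 60.181.111.193 255.255.255.240
nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
global (dmz) 2 60.181.111.195
"""

def parse(text):
    """Return interface subnets, nat rules and global rules from the posted lines."""
    ifaces, nats, globs = {}, [], []
    for line in text.splitlines():
        if m := re.match(r"ip address (\w+) (\S+) (\S+)$", line.strip()):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := re.match(r"nat \((\w+)\) (\d+) (\S+) (\S+)$", line.strip()):
            nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif m := re.match(r"global \((\w+)\) (\d+) (\S+)$", line.strip()):
            globs.append((m[1], int(m[2]), ipaddress.ip_address(m[3])))
    return ifaces, nats, globs

def translation_paths(nats, globs):
    """Pair each nat with every global sharing its NAT ID (ID 0 is skipped)."""
    return [(src, dst, str(addr)) for src, nid, _ in nats if nid != 0
            for dst, gid, addr in globs if gid == nid]

def overlaps(ifaces, nats, globs):
    """List address relationships to review; arithmetic only, no PIX modelling."""
    notes = []
    for src, nid, net in nats:
        if not net.subnet_of(ifaces[src]):
            notes.append(f"nat ({src}) {nid}: {net} is not within the {src} interface subnet {ifaces[src]}")
    for dst, gid, addr in globs:
        for name, net in ifaces.items():
            if name != dst and addr in net:
                notes.append(f"global ({dst}) {gid}: {addr} belongs to {name} subnet {net}")
        for src, nid, net in nats:
            if nid == 0 and addr in net:
                notes.append(f"global ({dst}) {gid}: {addr} is inside nat ({src}) 0 range {net}")
    return notes

if __name__ == "__main__":
    ifaces, nats, globs = parse(CONFIG)
    print(translation_paths(nats, globs), *overlaps(ifaces, nats, globs), sep="\n")
```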



All content ©1996-2007 Computing.Net, LLC